I don't know if anyone else has had any experience with this virus but it is relatively new.
It's being identified as Trj/Agent.JEN by Panda solutions.

It's basically an email that comes through claiming to be a UPS Invoice. Users open the attached file and the virus replaces userinit.exe and possibly msconfig.exe. It then contacts 2 other servers to download a rootkit and malware (antivirusxp 2008/2009).

It's currently not being detected by Norton Antivirus 9.x/10.x and is giving us some concerns. We've only had 2 systems infected so far but with our AV not detecting it, it's obviously a worry.
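Since the dropper described above works by replacing system files such as userinit.exe, one defender-side check is a baseline hash comparison. The following is an added example, not code from the thread; it assumes a known-clean baseline taken from a trusted image and runs here against constructed stand-in files in a temporary directory.

```python
"""Added example: baseline-vs-current SHA-256 check for the Windows system
files the post says the dropper replaces (userinit.exe, msconfig.exe).
Runs offline against constructed sample files, not real binaries."""
import hashlib
import os
import tempfile

WATCHED = ("userinit.exe", "msconfig.exe")  # files named in the post


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(system_dir, names=WATCHED):
    """Record hashes of known-clean copies (take these from a trusted image)."""
    return {n: sha256_of(os.path.join(system_dir, n)) for n in names}


def check_integrity(system_dir, baseline):
    """Return {name: status}; status is 'ok', 'modified' or 'missing'."""
    report = {}
    for name, expected in baseline.items():
        path = os.path.join(system_dir, name)
        if not os.path.isfile(path):
            report[name] = "missing"
        elif sha256_of(path) != expected:
            report[name] = "modified"
        else:
            report[name] = "ok"
    return report


def demo():
    """Constructed scenario: clean baseline, then userinit.exe is overwritten."""
    d = tempfile.mkdtemp()
    for n in WATCHED:
        with open(os.path.join(d, n), "wb") as f:
            f.write(b"MZ clean " + n.encode())  # stand-in for a real binary
    baseline = build_baseline(d)
    with open(os.path.join(d, "userinit.exe"), "wb") as f:
        f.write(b"MZ replaced payload")  # simulated replacement by the dropper
    return check_integrity(d, baseline)


if __name__ == "__main__":
    print(demo())  # {'userinit.exe': 'modified', 'msconfig.exe': 'ok'}
```

On a real host the baseline would be built once from clean media and stored off the machine, since a rootkit on the infected system can hide or alter what a local check reads.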

It still seems to be doing the rounds at the moment. I've had a number of calls at our remote sites (not under our domain or AD, nor do they have any filtering) reporting this virus. It would seem that XPAntivirus2008/XPSecuritycentre is the main indication of whether the machine has been infected.
I've cleaned a number of machines and found a number of various rootkits, trojans and other viruses present. However, none of them seem to follow a pattern. For example,

Remote Site 1) Infected with XPAntivirus2008, Trojan.Blusod, Trojan.Pandex and Joke.Blusod (added by trojan.Blusod).

I'm seeing a lot of the xpav stuff around here - it's not just coming through emails. I had it attempt to d/l drive-by style on my linux machine. It actually popped up after visiting a website (researching a file) and it told me I had a bunch of w32.*** viruses and 170-some registry errors. I wonder if there isn't a spambot out there sending the stuff too. It is pretty profitable - at least half my customers have clicked and installed, and a few of those even gave them their CC info.

I haven't seen any yet but this is exactly like the bank account phishing.

In the same manner as a bank *never* emails requests for PII and
account info, UPS *never* sends attachments to their email. The email
*is* the invoice and all the info is self-contained.

For those of us who make money from cleaning up the mess, it's sort of a
windfall but it's just another example of how gullible the human animal is.
That we would open up an *e-invoice*, when we know we never had
anything shipped, is almost ludicrous.

I mean Geez - every UPS email that concerns a shipment has a tracking
number in the body of the email. Anyone with half an ounce of logic would
know that it is missing and would call UPS about it.

The UPS and Customs variants were only ever likely to catch people who might have half expected something, maybe an e-Bay order and the like.

A very similar variation was going around about confirmation of airline ticket purchase for several hundred dollars. This is much more likely (IMHO) to have caught more people, on the basis that they might think "well I know I did not order anything, so maybe someone else has used my credit card or email information. I better check what's going on so I can stop this fraudulent payment". 1, 2, 3 - 0wn3d!

Darkside, I don't have a [polite] answer for why this would get past Norton. My only comment would be that all AV has a flaw if it tries to rely on updating lists of bad things faster than they can spread. Of course, if you have AV1 and you get no viruses, it must be working, right?

What I have always said is "developers, developers, developers." Develop secure code!

Just kidding. But in all seriousness now, the only real way to mitigate such risks is with Defense-in-Depth. Make the landscape for infection as small as possible. Use IPSec. Use outbound filtering. Use patching methodologies. Educate your users. Prevent malicious code from entering at the border. If an infection does occur, prevent its propagation with the correct security policies.

An Antivirus package is only as good as its heuristic engine and the last updated definition file. This is why I never pay for home AV software.

Yes... It downloads a rootkit in order to hide itself in the system and a rogue antivirus which alerts users of non-existent threats in the computer. It does not spread automatically using its own means.